Agent Trust Fabric

What this is. SecurityRecipes is positioned as The Secure Context Layer for Agentic AI. The Agent Trust Fabric is the single runtime verdict that tells an agent host, MCP gateway, SOC workflow, or reviewer: this agent run is trusted, needs step-up, is untrusted, or must be killed.

The product bet

Enterprise reviewers do not want a pile of agent safety checklists. They want one answer before an agent touches tools or private context:

Can we trust this agent, for this workflow, in this tenant, right now?

The Agent Trust Fabric composes six dimensions into that answer:

  1. Identity - who the agent is, which delegated identity it is using, and whether that identity still has valid scope.
  2. Context - what the agent is consuming, whether the context is fresh, and whether poisoning signals were found.
  3. Scope - where the agent can go and which action class is being attempted.
  4. Behavior - what the agent is doing in real time and whether telemetry can reconstruct the run.
  5. Data boundary - what the agent is sending or serving outside the trust boundary.
  6. Containment - whether kill switches, SOC detections, and hosted MCP controls can stop the run when prevention fails.

That is the review-ready wedge: open knowledge creates adoption; the production MCP server becomes the control point that signs trust verdicts for customer-private agent runs.

What was added

  • data/assurance/agent-trust-fabric-profile.json - source contract for trust dimensions, tiers, runtime fields, source references, and trusted-source path.
  • data/evidence/agent-trust-fabric-pack.json - generated MCP-readable trust fabric evidence.
  • recipes_agent_trust_fabric_pack - MCP lookup by dimension, workflow, trust tier, or status.

Evaluate a trusted scoped run:

Evaluate a trust break:

What is inside

Section Purpose
trust_fabric_summary Dimension count, workflow count, trust-tier distribution, source pack count, and failure count.
trust_contract Default fail-closed state, required runtime fields, score thresholds, evidence sources, and kill signals.
trust_dimensions The identity, context, scope, behavior, data-boundary, and containment checks, with MCP tools and evidence paths.
trust_tiers Intern, Apprentice, Operator, and Principal tiers with score gates and allowed actions.
workflow_trust_matrix Generated default trust tier and risk flags for every active workflow.
tabletop_cases Ready-made allow, hold, deny, and kill cases for platform testing.
source_artifacts Hashes and paths for each evidence pack used to build the trust fabric.

MCP examples

Get the executive summary and trust matrix:

{}

Inspect one dimension:

{
  "dimension_id": "identity"
}

Inspect a workflow:

{
  "workflow_id": "vulnerable-dependency-remediation"
}

Find workflows that default to Operator:

{
  "trust_tier": "operator"
}

Evaluate one agent trust request:

{
  "workflow_id": "vulnerable-dependency-remediation",
  "run_id": "run-123",
  "agent_id": "sr-agent::vulnerable-dependency-remediation::codex",
  "identity_id": "sr-agent::vulnerable-dependency-remediation::codex",
  "tenant_id": "tenant-a",
  "correlation_id": "corr-123",
  "trust_event_id": "trust-123",
  "requested_trust_tier": "operator",
  "intent_summary": "Patch dependency lockfiles on a scoped remediation branch.",
  "context_package_hash": "sha256:context",
  "policy_pack_hash": "sha256:policy",
  "authorization_decision": "allow_authorized_mcp_request",
  "egress_decision": "allow_internal_context",
  "action_runtime_decision": "allow_bounded_action",
  "telemetry_decision": "telemetry_ready",
  "soc_decision": "no_alert",
  "telemetry_event_id": "trace-123",
  "receipt_id": "receipt-123",
  "source_freshness_decision": "current",
  "human_approval_record": {
    "approval_id": "approval-123",
    "status": "approved"
  }
}

Why it is review-ready

The trust fabric makes the site easier to understand and easier to sell. It creates one cross-vendor primitive that xAI, Anthropic, OpenAI, an AI platform vendor, or a security vendor could attach to agent hosts, MCP gateways, customer telemetry, and trust-center exports:

  • hosted trust scoring APIs,
  • signed agent trust verdicts,
  • customer policy adapters,
  • SOC/SIEM export,
  • procurement evidence export,
  • runtime step-up and kill decisions,
  • trust-center proof for design partners,
  • a direct bridge from open knowledge to production MCP enforcement.

Industry alignment

The pack is anchored in current primary guidance:

See also